1625050 – (CVE-2018-16402) CVE-2018-16402 elfutils: Double-free due to double decompression of sections in crafted ELF causes crash

Bug 1625050 (CVE-2018-16402) - CVE-2018-16402 elfutils: Double-free due to double decompression of sections in crafted ELF causes crash

Summary: CVE-2018-16402 elfutils: Double-free due to double decompression of sections ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-16402
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1625051 1625052 1625399 1625400 1625401 1822312
Blocks:	1625054
TreeView+	depends on / blocked

Reported:	2018-09-04 04:26 UTC by Sam Fowler
Modified:	2020-04-14 17:41 UTC (History)
CC List:	23 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-08-06 13:19:14 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2019:2197	0	None	None	None	2019-08-06 12:27:03 UTC
Red Hat Product Errata	RHSA-2020:1471	0	None	None	None	2020-04-14 17:41:11 UTC

Description Sam Fowler 2018-09-04 04:26:47 UTC

Elfutils through version 0.173 is vulnerable to a double-free in the libelf/elf_end.c:elf_end() function due to the decompression of section data multiple times.. An attacker could exploit this to cause a crash or possibly have unspecified other impact via a crafted ELF.


Upstream Bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=23528


Upstream Patch:

https://sourceware.org/git/?p=elfutils.git;a=patch;h=56b18521fb8d46d40fc090c0de9d11a08bc982fa

Comment 1 Sam Fowler 2018-09-04 04:27:37 UTC

Created elfutils tracking bugs for this issue:

Affects: fedora-all [bug 1625051]

Comment 4 Scott Gayou 2018-09-04 19:46:04 UTC

Reproduced on 7+ quite easily. Did not reproduce on 5/6. 6 was running 0.164.

Comment 6 Mark Wielaard 2018-09-04 20:03:42 UTC

(In reply to Scott Gayou from comment #4)
> Reproduced on 7+ quite easily. Did not reproduce on 5/6. 6 was running 0.164.

That makes sense, support for compressed ELF sections was introduced in elfutils 0.165.

Comment 9 errata-xmlrpc 2019-08-06 12:27:02 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2197 https://access.redhat.com/errata/RHSA-2019:2197

Comment 10 Product Security DevOps Team 2019-08-06 13:19:14 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16402

Comment 12 errata-xmlrpc 2020-04-14 17:41:09 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:1471 https://access.redhat.com/errata/RHSA-2020:1471

Note You need to log in before you can comment on or make changes to this bug.

abhgupta
bmcclain
dbaker
dblechte
dfediuck
drepper
eedri
fche
jakub
jokerman
kanderso
mcermak
me
mgoldboi
michal.skrivanek
mjw
mjw
mnewsome
ohudlick
sbonazzo
sherold
sthangav
trankin